Checkpoint: Forcing Services over a specific ISP link with ISP Redundancy Load-Sharing

Caveats / Notes

  • You can force services over the 1st ISP link but not the 2nd. If the 1st link goes down, all traffic, including the forced services, is routed through the 2nd.
  • This takes effect on every firewall managed by this SmartCenter that runs ISP Redundancy, because the table lives on the management server and is compiled into the policy.
  • All other outgoing connections are distributed evenly between the 2 links (that is what Load Sharing mode does).

You will need to open the file $FWDIR/lib/table.def on the SmartCenter server and edit the no_misp_services_ports table. Take a backup of the file first: an upgrade replaces table.def, so the change has to be re-applied afterwards.

The table is a list of <port, protocol> pairs, where the protocol is the IP protocol number (6 = TCP, 17 = UDP), as in the following example:

no_misp_services_ports = { <500, 17>, <259,17>};

The above states that UDP port 500 (ISAKMP) and UDP port 259 (Check Point's RDP, used by VPN-1; Client Authentication is TCP 259, a different service) are routed out via the 1st link.

So if you would like to route web (HTTP, TCP 80) and SSH (TCP 22) traffic over the 1st link as well, you would specify:

no_misp_services_ports = { <500, 17>, <259,17>, <80,6>, <22,6>};

Don't forget to install the policy once the changes have been made; the table is compiled into the policy, so nothing changes on the gateways until you do.
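Because a typo in table.def only shows up when the policy fails to compile, it is worth making the edit with a script that validates the entries first. The following is an added example written for this page, not Check Point code: it parses the no_misp_services_ports line in the format shown above, rejects bad ports and unknown protocol names, skips duplicates, and writes a .bak copy before touching the real file. The table.def fragment in SAMPLE is constructed for the demonstration, and the function names (parse_entries, add_services, update_file) are this example's own.

```python
"""Safely add <port, protocol> entries to no_misp_services_ports in table.def.

Added example for this page, not Check Point's own tooling. It assumes the
table has exactly the form shown on the page:
    no_misp_services_ports = { <500, 17>, <259,17>};
"""
import re
from pathlib import Path

# IP protocol numbers (IANA) for the protocols you would realistically force.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

TABLE = "no_misp_services_ports"
_ENTRY = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")
# group 1: "name = {", group 2: the entries, group 3: the closing "};"
_LINE = re.compile(r"^(\s*" + TABLE + r"\s*=\s*\{)([^}]*)(\}\s*;)", re.M)

# Constructed fragment of $FWDIR/lib/table.def, not the real file.
SAMPLE = """// constructed table.def fragment for this example
no_misp_services_ports = { <500, 17>, <259,17>};
"""


def parse_entries(body):
    """Return the (port, protocol_number) pairs found in `body`, in file order."""
    return [(int(port), int(proto)) for port, proto in _ENTRY.findall(body)]


def render(entries):
    """Render the pairs back into the table syntax table.def expects."""
    inner = ", ".join(f"<{port},{proto}>" for port, proto in entries)
    return f"{TABLE} = {{ {inner} }};"


def add_services(text, new):
    """Return `text` with the (port, protocol_name) pairs in `new` merged into the table.

    Raises ValueError on an invalid port, an unknown protocol name, or a
    missing table, so a bad edit never reaches 'install policy'.
    """
    match = _LINE.search(text)
    if not match:
        raise ValueError(f"{TABLE} table not found in table.def text")
    entries = parse_entries(match.group(2))
    for port, proto in new:
        if not 0 < port <= 65535:
            raise ValueError(f"invalid port {port}")
        number = PROTO.get(proto.lower())
        if number is None:
            raise ValueError(f"unknown protocol {proto!r}; use one of {sorted(PROTO)}")
        if (port, number) not in entries:  # keep the table free of duplicates
            entries.append((port, number))
    return text[:match.start()] + render(entries) + text[match.end():]


def update_file(path, new):
    """Rewrite table.def in place, keeping a .bak copy (upgrades replace the file anyway)."""
    p = Path(path)
    original = p.read_text()
    p.with_suffix(p.suffix + ".bak").write_text(original)
    p.write_text(add_services(original, new))


if __name__ == "__main__":
    # Force HTTP and SSH over the 1st link; UDP 500 is already present and is skipped.
    print(add_services(SAMPLE, [(80, "tcp"), (22, "tcp"), (500, "udp")]))
```

Run it against the real file with update_file("/opt/CPsuite-.../fw1/lib/table.def", [...]) on the SmartCenter (the $FWDIR path varies by release), then install the policy as above.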

The links below are handy for reference:

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

http://en.wikipedia.org/wiki/Transmission_Control_Protocol

http://en.wikipedia.org/wiki/User_Datagram_Protocol

Checkpoint: Nokia Clish Command Reference

Some clish commands that are incredibly handy but not worth committing to memory as they're only used every 4th blue moon. Thanks secmanager.org.

—setting default gateway
set static-route default nexthop gateway address 192.168.29.2 priority 1 on

—adding static routes
set static-route 172.23.124.150/32 nexthop gateway address 192.168.29.50 on

—Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0

—Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.29.54/24 enable

—VRRP

set vrrp accept-connections on
set vrrp coldstart-delay 60

set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.29.1 on

—Set ntp servers

add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes

—Setting Time zone

set date timezone-city "Greenwich (GMT)"

—Add hostname

set hostname testbox

—Add Host address assignments

add host name testbox ipv4 192.168.29.54